A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.
The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.
Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)

1. A. Create a service role that has a composite principal that contains each service that needs the necessary permission
2. B. Configure the role to allow the sts:AssumeRole action.
3. C. Create a service role that has cloudformation.amazonaws.com as the service principa
4. D. Configure the role to allow the sts:AssumeRole action.
5. E. For each required set of permissions, add a separate policy to the role to allow those permission
6. F. Add the ARN of each CloudFormation stack in the resource field of each policy.
7. G. For each required set of permissions, add a separate policy to the role to allow those permission
8. H. Add the ARN of each service that needs the per-missions in the resource field of the corresponding policy.
9. I. Update each stack to use the service role.
10. J. Add a policy to each member role to allow the iam:PassRole actio
11. K. Set the policy's resource field to the ARN of the service role.

Correct Answer: BDF

A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances fix CVE in a single IAM account The Engineer has already enabled IAM Security Hub and Amazon Inspector m the IAM Management Console and has installed me Amazon Inspector agent on an EC2 instances that need to be monitored.
Which additional steps should the Security Engineer lake 10 meet this requirement?

1. A. Configure the Amazon inspector agent to use the CVE rule package
2. B. Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy
3. C. Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy
4. D. Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Correct Answer: D
you need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilities and exposures on your EC2 instances5. You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security
Hub6. Security Hub is a service that provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices7. The other options are either incorrect or incomplete for meeting the requirement.

A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).
The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin.
During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.
How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

1. A. Configure the CloudFront distribution to use the Lambda@Edge featur
2. B. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer request
3. C. Block the request if the rate limit is exceeded.
4. D. Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.
5. E. Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
6. F. Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Correct Answer: C
To improve the security at the edge of the solution to defend against a large, layer 7 DDoS attack, the security engineer should do the following:
Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded. This allows the security engineer to use a rule that tracks the number of requests from a single IP address and blocks subsequent requests if they exceed a specified threshold within a specified time period.

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a
24- hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

1. A. Manually rotate a key within KMS to create a new CMK immediately
2. B. Use the KMS import key functionality to execute a delete key operation
3. C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
4. D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

Correct Answer: C
the schedule key deletion function within KMS allows you to specify a waiting period before deleting a customer master key (CMK)4. The minimum waiting period is 7 days and the maximum is 30 days5. This function prevents the CMK from being used for encryption or decryption operations during the waiting period4. The other options are either invalid or ineffective for deleting a CMK within a 24-hour timeframe.

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.
The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.
Which solution meets these requirements?

1. A. Create an AWS WAF rate-based rule, and attach it to the ALB.
2. B. Update the security group that is attached to the ALB to block the attacking IP addresses.
3. C. Update the ALB subnet's network ACL to block the attacking client IP addresses.
4. D. Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

Correct Answer: A